In a completely unprecedented legal action, Facebook-owned WhatsApp is suing Israeli surveillance technology firm NSO Group in U.S. federal court, alleging that NSO group exploited a WhatsApp hack in order to spy on more than 1,400 people in 20 countries. The list of those caught up in the NSO Group spy hack includes journalists, human rights activists, political dissidents, prominent female leaders, and other members of civil society. This marks the first lawsuit of a technology company versus a for-profit digital surveillance company.
Details of the WhatsApp hack
According to WhatsApp, which filed its court case in the U.S. District Court of the Northern District of California, NSO Group has engaged in an “unmistakable pattern of abuse” that insidiously targeted individuals of civil society. NSO Group, as might be imagined, says that it will “vigorously fight” the lawsuit, claiming that it only sells its surveillance technology to governments and other clients (such as law enforcement agencies) for the purposes of fighting terrorism and serious crime.
As more and more details of the hack emerge, though, a very different picture emerges. Over a two-week period in April-May 2019, clients of NSO Group went on a “hacking spree.” By placing a video WhatsApp call to an unsuspecting victim, NSO Group customers were able to infect that phone with malware – even if the victim didn’t actually respond to the video call. This hack leveraged a known security vulnerability in the WhatsApp app. Once the malware was installed on the phone, it could be used to snoop on communications, access photos, activate cameras or microphones, or scroll through contact lists. In short, the victim of the WhatsApp would basically be placed on 24/7 surveillance, making it possible for governments to track dissidents or to harass human rights activists at will.
In its lawsuit, WhatsApp details how NSO Group carried out the WhatsApp hack. The company suggests that the sole purpose of NSO Group’s program was to provide surveillance technology to the highest bidder. In order to figure out how NSO Group managed to piggyback on WhatsApp’s encrypted messaging technology stack, the tech firm worked carefully with surveillance technology experts at Citizen Lab, which is affiliated with the University of Toronto. In the past, Citizen Lab has helped victims of surveillance technology, and is particularly well versed in how malicious malware placed on mobile phones can be used to snoop on individuals without their knowledge. According to WhatsApp and Citizen Lab, the primary targets of the WhatsApp hack included individuals in Mexico, Bahrain and the United Arab Emirates. The big tip-off for the researchers was the fact that each of these individuals received a WhatsApp video call from a complete stranger. When they dug a little deeper, they also uncovered a message from an NSO Group employee to a WhatsApp employee, lamenting the fact that WhatsApp was closing the security loophole that made the WhatsApp hack possible in the first place.
Governments and surveillance technology
While this is the first time that a tech company is directly challenging a for-profit digital surveillance technology company, this is hardly the first time that victims of surveillance technology have attempted to win justice in the courts. One of the NSO Group’s primary surveillance tools, a piece of software known as Pegasus, has been the subject of Israeli court cases in the past. And, most notably, a Saudi citizen who was close to slain Saudi dissident Jamal Khashoggi, says that NSO Group specifically targeted his phone in order to conduct surveillance programs against those individuals representing a threat to the Saudi government.
That might help to explain why so many of the victims of the WhatsApp hack were in Bahrain and the UAE – it’s clear that Middle Eastern governments have embraced surveillance technology as a tool to crack down on dissent. NSO Group is one of a handful of companies around the world that sells surveillance technology to governments, including those in the Middle East.
Given the possibility for abuse of this surveillance technology, the UN special rapporteur on the freedom of expression, David Kaye, has called for an outright moratorium on the use of these surveillance technology tools in the strongest possible terms. In a worst-case scenario, he says, they could lead to the harassment, abuse, or even death of dissidents, activists, journalists or civil society leaders. The WhatsApp hack is just the latest example of this dynamic at work.
The head of WhatsApp, Will Cathcart, now supports such a moratorium on surveillance technology. In a Washington Post op-ed, he notes, “Tools that enable surveillance into our private lives are being abused.” He also noted the “proliferation” of these surveillance technology tools to “irresponsible companies and governments.” WhatsApp, in addition to calling for an immediate halt to an NSO Group effort to exploit or piggyback on its technology, now supports an immediate moratorium on the sale, transfer or use of dangerous spyware. It is also beefing up its security to make sure that another WhatsApp hack won’t take place in the future.
Regulation of surveillance technology
At some point, governments will need to get involved in helping to regulate surveillance technology, especially when used by firms outside of intelligence and law enforcement. The current system of self-regulation and self-reporting is not working. For example, consider the fact that NSO Group put into place a “human rights policy” at the end of last year that sought to bring much more oversight into the use of its technology by customers, as well as much more due diligence in how surveillance technology might be used to usurp the human rights of individuals. Yet, as critics have noted, this NSO Group policy was basically a lot of hot air and nothing more. It relied too much on the self-reporting of customers, and did not go far enough in establishing privacy as a fundamental human right.
As Citizen Lab notes, the WhatsApp lawsuit regarding the WhatsApp hack represents a “huge milestone in digital rights and privacy.” In the past, tech firms might have been cautious about getting involved in these types of lawsuits, in part because they would have to reveal the inner workings of how their technology operates. And they did not want to challenge government, intelligence and law officials outright – far better to work behind the scenes. But it’s clear that the pattern of abuse and manipulation has gone too far. While there might be some legitimate uses for surveillance technology – such as the tracking down of known terrorists or criminals – it’s clear that certain guidelines and guardrails need to be put into place such that surveillance technology is not available simply to the highest bidder.